2 Answers
2

You can't lock/disable SYSDBA accounts (e.g., SYS), due to the fact that they don't authenticate to the database in the same way. Here's a little test I ran on a regular user that I granted SYSDBA to, then locked the account. The user can still get in as SYSDBA, just not as a normal user:

Of course, if I can get in as a SYSDBA user, then I can just unlock my account and get in as a normal user again.

I'm not sure why you would actually want to do this. It doesn't seem like a good idea. If you could actually lock the SYSDBA accounts, you could render your database inaccessible. Aside from SYS and SYSTEM, all accounts created by Oracle when the database is created are locked by default anyway. What are you trying to accomplish?

This scenario means you're pretty much screwed anyway. It also assumes you can't modify the sqlnet.ora file where the authentication_services parameter is defined, else you could set it back to NTS to allow OS authentication (assumes windows).

If all superusers are locked, then how do you recovered?
–
jackApr 27 '10 at 10:21

I show you in the example I gave. A SYSDBA user is authenticated either by the OS (connect / as sysdba) or by the password file (connect sys as sysdba), not by the typical DB login security. You cannot lock a user that has been granted SYSDBA privilege in order to prevent them from logging in as SYSDBA.
–
DCookieApr 27 '10 at 14:37

I'm not trying to accomplish, but I'm trying to ask if admin accounts can be disabled or locked. Thank you so much for your answers. I appreciate it.
–
jackApr 29 '10 at 7:19

You can prevent sysdba accounts from logging in remotely by setting REMOTE_LOGIN_PASSWORDFILE to none. The sysdba users can only authenticate using the "connect / as sysdba" while logged into the computer the database is running on.

But you still would have to answer why you want to do this. And what you mean by undesirable effects.